Remove Old or Unneeded Client Profile With Script or Other Method Remotely

dcchamilton
Level 1

Greetings, I have done some searching and yet to find an answer but admit I might have not used the correct search criteria.

We use our ASA to allow many outside agencies to remote to an internal app server. Unfortunately this has been in place for many years and our AnyConnect client profiles have changed over time. However, the hostname in the Server List entries has remained the same through a lack of foresight, so we have users with multiple client profiles using the same hostname. When a user connects, they could literally be using one client profile to establish a connection, and then be authenticated with another, due to the client grabbing the first one it finds, and the ASA assigning the profile they are a member of. Viewing the logs, I can see this happen. If I use Tunnel Group Lock, it can block a user from being able to connect, due to the client picking the wrong client profile, and the login fails. I would like to know if there is a way to use a script or some other method to remove, move or rename an old client profile from the AnyConnect profile folder remotely when the user connects to the ASA, using a script without elevated permissions or some other method?

When the client is first installed, it needs elevated permissions; however, it does not need the permissions to upgrade, or to download and overwrite a new profile, so why can't it delete an existing profile that is no longer needed or desired? The same folder is used, and roughly the same permissions are needed to overwrite as to rename. However, when I use a script in the ASA Customization/Localization to try to rename a specific profile, it fails due to lack of permissions.

I might be overlooking another obvious option, but it seems to me that if the client can update itself and replace/update an existing profile, it should be able to rename a file extension from ".xml" to something else like ".old" so it will not be recognized by the client when it starts. Or just remove one that is no longer needed, if requested to do so.

Is this at all possible?

Sorry for the long novel!

Thanks in advance.

2 Replies

Marvin Rhoads
Hall of Fame

I'm pretty sure you cannot do that from within AnyConnect or any configuration on the headend.

Unfortunately you will have to run something like an SCCM job to accomplish what you are asking.

Thanks for your input. Unfortunately these are all mostly unmanaged devices we have little or no control of, so SCCM will not work. The usage is for First Responders throughout our county, and most are not part of our organization. I was just hoping that the scripting could be used to clean up the old or unused profiles silently without having to cause the end users trouble connecting at any hour of the day if we push out a new profile with a different hostname. Cleaning out the old profiles that are not needed would be an easy best solution. We know the profile names that need to be removed. A script works only when run manually but needs the additional permission. The bigger question is, if the VPN client can update a profile in its own folder structure, why can't it run a script to update its own folder structure, or rename/move/delete an old profile? The local Cisco Agent is run as System on the local PC, which has "full" control of the folders, so it should work.
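For the managed-endpoint case Marvin describes (an SCCM or similar job running with local admin rights), this is an added example, not code from the thread or from Cisco: it opens every profile XML in the default AnyConnect profile folder, reads the HostAddress values in its ServerList, and renames to ".old" (the OP's proposal) any profile that still points at the stale hostname except the one named as current. The folder path is AnyConnect's default; `-StaleHostAddress` and `-KeepProfile` are placeholders for the site's own values.

```powershell
# Added example (not the thread's or Cisco's code). Requires local admin rights, since
# standard users cannot write to the AnyConnect profile folder. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Default AnyConnect client profile location on Windows.
    [string]$ProfileDir = "$env:ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile",
    # Placeholder: the hostname shared by the old and new profiles.
    [Parameter(Mandatory)][string]$StaleHostAddress,
    # Placeholder: file name of the profile that must stay, e.g. current.xml.
    [Parameter(Mandatory)][string]$KeepProfile
)

$renamed = @()
foreach ($file in Get-ChildItem -Path $ProfileDir -Filter '*.xml' -File) {
    if ($file.Name -ieq $KeepProfile) { continue }
    try {
        [xml]$doc = Get-Content -Path $file.FullName -Raw
    } catch {
        Write-Warning "Skipping $($file.Name): not well-formed XML"
        continue
    }
    # Collect every ServerList/HostEntry/HostAddress, ignoring the profile's XML namespace.
    $hosts = $doc.SelectNodes('//*[local-name()="HostEntry"]/*[local-name()="HostAddress"]') |
             ForEach-Object { $_.InnerText.Trim() }
    if ($hosts -contains $StaleHostAddress) {
        # Change only the extension (.xml -> .old) so the client stops loading the profile
        # but the file remains on disk for rollback.
        $newName = [IO.Path]::ChangeExtension($file.Name, '.old')
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -Path $file.FullName -NewName $newName -Force
            $renamed += $file.Name
        }
    }
}
Write-Output "Renamed $($renamed.Count) stale profile(s): $($renamed -join ', ')"
```

Because the only profile left that matches the hostname is the intended one, the client can no longer pick a stale profile first, which is what was defeating Tunnel Group Lock for those users.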